code-review

This skill is a plausible, high-utility code-review orchestration spec; it does not contain explicit malicious payloads, obfuscated code, or external download-execute vectors. The principal risks are operational: it requires the gh CLI and repository read/write access (including a GitHub token), and it instructs broad scanning of repository contents (files, git blame, PR history) and automatic posting of detailed comments. Those behaviors are consistent with a code-review tool but are high-privilege operations. If deployed, ensure the runtime uses least-privilege GitHub tokens, that outputs are filtered for sensitive contents (secrets), and that posting to PRs is gated (human review or scoped permissions). Overall there is no direct evidence of malware, but the skill's permissions and automated write actions create a meaningful security risk if abused or run in an environment with sensitive repository data.